Need help creating an OpenSearch correlation rule to detect brute force attacks

Hello everyone,

I am new to OpenSearch and currently exploring OpenSearch Security Analytics. I recently learned that correlation rules can be used to detect specific event scenarios. I would like to create a correlation rule to detect brute force attacks, but I am unable to find proper guidance or documentation on this topic.

Any assistance would be greatly appreciated.

Thank you.

Hi @sohil2306,

You can check this sample:

POST _plugins/_security_analytics/correlation/rules
{
  "name": "Brute Force Detection",
  "enabled": true,
  "description": "Detects multiple failed login attempts from the same IP within a short time",
  "log_sources": [
    {
      "index": "security-logs-*",
      "rule": {
        "name": "failed_login",
        "query": {
          "bool": {
            "must": [
              { "match": { "event.action": "failed_login" } }
            ]
          }
        }
      }
    }
  ],
  "correlation_conditions": [
    {
      "group_by": ["source.ip"],
      "time_window": "5m",
      "aggregation": {
        "count": {
          "field": "event.action",
          "value": 10
        }
      }
    }
  ],
  "severity": "high",
  "risk_score": 80
}

Best,
mj

I have pasted this code in my dev tools and it created the correlation rule, but when I created my index with the name "security-logs-cloudwatch" and pasted some dummy data, it is still not creating a correlation graph.

Here is the data which I have filled in my index.
POST security-logs-cloudwatch/_bulk
{ "index": {} }
{ "@timestamp": "2025-03-31T12:00:00Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:00:30Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:01:00Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:01:30Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:00Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:30Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:40Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:50Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:55Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }
{ "index": {} }
{ "@timestamp": "2025-03-31T12:02:56Z", "event.action": "failed_login", "source.ip": "192.168.1.100", "user.name": "admin", "message": "Failed login attempt detected" }